Search

Why Smart Cards Are Smart

If you use GPG keys, learn about the benefits to storing them on a smart card.

GPG has been around for a long time and is used to secure everything
from your email to your software. If you want to send an email to
someone and be sure that no one else can read or modify it, GPG
signing and encryption are the main method you'd use. Distributions use
GPG to sign their packages, so you can feel confident that the ones you
download and install from a package mirror have not been modified from
their original state. Developers in many organizations follow the best
practice of GPG-signing any code they commit to a repository. By signing
their commits, other people can confirm that the changes that claim to
come from a particular developer truly did. Web-based Git front ends
like GitHub and GitLab let users upload their GPG public keys, so when
they do commit signed code, the interface can display to everyone else
that it has been verified.

Yet, all of the security ultimately comes down to the security of
your private key. Once others have access to your private key, they
can perform all of the same GPG tasks as though they were you. This
is why you are prompted to enter a passphrase when you first set up
a GPG key. The idea is that if attackers are able to copy your key,
they still would need to guess your password before they could use the
key. For all of the importance of GPG key security, many people still
just leave their keys in ~/.gnupg directories on their filesystem and
copy that directory over to any systems where they need to use GPG.

There is a better way. With OpenPGP smart cards, you can store your keys on
a secure device that's protected with a PIN and not only store your keys
more securely, but also use them more conveniently. Although some laptops come
with integrated smart card readers, most don't. Thankfully, these devices
are available as part of multi-function USB security token devices from
a number of different vendors, and Linux Journal has published reviews of such
products in the past. In this article, I discuss
all the reasons OpenPGP smart cards are a better choice for storing
your keys than your local filesystem.

Reason 1: Tamper-proof Key Storage

One of the main benefits of a smart card is that it stores your GPG keys
securely. When you store your keys on a filesystem, anyone who can access
that filesystem can copy off the keys. On a smart card, once keys go in,
they never leave, neither accidentally nor from tampering. The smart card
chips themselves are designed to be tamper-proof and resist attempts to
extract key data even when someone has physical access. By putting keys
on a smart card, you can have a reasonable assurance that your keys are
safe, even from a determined attacker.

Reason 2: GPG Operations Happen on the Card

The next benefit to smart cards is related to the tamper-proof nature
of the key storage. Because the private keys never can leave the smart
card, all of your GPG operations happen on the smart card itself! When
your GPG keys are on your filesystem, each time you encrypt, decrypt
or sign something, your keys are unlocked and are copied to RAM so the CPU
can perform the GPG operations. With a smart card, the keys never leave
the device, and the smart card itself performs the GPG operations. GPG is
smart card-aware, so it sends the payload over USB to the smart card,
the smart card encrypts, decrypts or signs it, and then it sends the
output back over USB to the computer.

The fact that operations happen on the card is important, because it's
further assurance that your private keys aren't exposed, even if you use
your smart card on an untrusted machine. Even if attackers had remote
access to the untrusted machine and could guess your PIN, they could, at
best, temporarily use your keys to encrypt, decrypt or sign something. They
still could not extract your keys or use them indefinitely—the moment
you unplug your smart card, the keys fall out of their grasp.

Reason 3: Portability

One of the other benefits of smart cards is portability. It's true that
laptops are pretty portable, and you could, in theory, take one with you
everywhere you go (if you are a site reliability engineer that's on call,
this might be the case). The reality is that most people leave their
computers unattended at least some of the time. If you travel somewhere,
you might bring a laptop, but in many cases, you'll probably also leave
it in a hotel.

If you have more than one computer, you are faced with having to copy GPG
keys around to each one on which you intend to use those keys. In that case,
these limitations on portability become a problem, because you aren't
going to have each of those laptops in your possession at all times.
Laptops get lost and stolen, and an attacker with physical access to the
laptop might be able to get access to your GPG keys. Even if the laptop
has disk encryption, a savvy attacker could use a cold boot attack to get
copies of disk unlock keys still present in RAM on a suspended machine.

When your GPG keys are on a smart card, you can put the USB security
token in your purse or pocket (I've found the watch pocket in jeans to
be a great place) and have it with you at all times. This portability
means you don't have to worry about copying your GPG keys to each of
your machines. Instead, you can just insert your smart card when you need
to use the keys and then remove it when you are done. Even if you want
to leave your smart card attached to your computer while you use it,
you can (and should) still remove it when you step away from the computer
so it's always with you. Some USB security tokens even offer an NFC
interface so you can use your keys on your smart phone.

Reason 4: Multi-factor Authentication

The final benefit to smart cards is that it enforces multi-factor
authentication on your GPG keys. Ideally, GPG keys are protected by two
different factors: something you have (the key itself) and something
you know (the password to unlock the key). When you store your keys on
a filesystem, multi-factor authentication is optional. When you first
generate your keys, you are prompted to generate a password to protect
them, but you are allowed to skip that step and generate keys without
password protection.

If you are in an organization that wants to enforce multi-factor
authentication on GPG keys, a smart card is a simple way to do it. Smart
cards require users to enter a PIN to unlock the key, and GPG will
automatically prompt users to enter their smart card and then type
in the PIN whenever that particular key is being used.

Conclusion

I hope you've found this discussion of the benefits of OpenPGP smart
cards useful. With the large market of USB security tokens out there
(which has grown even larger with the interest in secure cryptocurrency
storage), you have a lot of options to choose from in a number of price
ranges. Be sure to check which GPG key sizes and algorithms a smart
card supports before you buy it, especially if you use newer elliptic
curve algorithms or larger (3072- or 4096-bit) RSA keys.

Resources

Kyle Rankin is a Tech Editor and columnist at Linux Journal and the Chief Security Officer at Purism. He is the author of Linux Hardening in Hostile Networks, DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, Knoppix Pocket Reference, Linux Multimedia
Hacks and Ubuntu Hacks, and also a contributor to a number of other O'Reilly books. Rankin speaks frequently on security and open-source software including at
BsidesLV, O'Reilly Security Conference, OSCON, SCALE, CactusCon, Linux World Expo and Penguicon. You can follow him at @kylerankin.